
Originally posted here by rapier57
Yeah, I just read the ISC diary. I passed that to my former boss. He'll get a chuckle out of that, seeing as how we used to fight the C-suite mentality that faculty can do no wrong. The big question is: Why did the powers that be in the university not know that the activity was illegal, and could possibly be a federal offense if the students went outside the campus or actually got into a live business?

I'd be for getting the professor turned in to the feds and making a poster boy of him.

I totally agree, the professor (even though it was a computer security course) should not have even thought about giving an assignment like this...

This one isn't going to go away any time soon, it seems. Take a look at today's ISC (aside from the Apple updates). Also, the original Professor Packetslinger entry has been updated and there are some interesting notes.

Tom Liston has a pretty interesting entry and makes some good observations.

Exactly what parameters, what restrictions, and what applicable laws and regulations were conveyed to the students?

This is actually what's really important. I've done a similar assignment with students when I taught an Intro to Security class. Here's what I did differently, however (and what that prof should have done):

1. "Investigations" of external entities were done as "passive". That is, use only info found online and NO active probing of machines (e.g., no Nmap, Nessus, etc.). Tools that were used: whois, traceroute, dig, searches through Google, Usenet, etc.

2. Probative/Active investigations were done on a server that was set up for the class called Tank (it was aptly named). Students could pound the crap out of it whether within the classroom or from home (as long as they were registered for the class and they had signed an agreement of the school's IT policy).

Either way, students were told -- very emphatically by me -- that any laws violated, doing any active investigations against external entities, etc. would result in not only an F but possible expulsion. For the most part it worked fine, although it required tweaking as time went on (students one year interpreted a later assignment for going after other students in the class to include the school's wireless network -- I had to specify that it was within the WIRED classroom only).